/** * SQL Safety Utilities * * Centralized SQL injection prevention utilities including: * - Identifier validation and escaping * - Input validation for various SQL contexts * - SQL template literal tag for safe parameterized queries * - Comprehensive injection pattern detection * * @module sql-safety */ /** Maximum length for SQL identifiers (table names, column names, etc.) */ export declare const MAX_IDENTIFIER_LENGTH = 128; /** Maximum length for document/batch IDs */ export declare const MAX_ID_LENGTH = 256; /** Maximum length for field paths */ export declare const MAX_FIELD_PATH_LENGTH = 256; /** * Reserved SQL keywords that cannot be used as identifiers. * This is a comprehensive list covering SQLite, PostgreSQL, and MySQL. */ export declare const SQL_RESERVED_KEYWORDS: Set; /** * Dangerous SQL patterns that indicate potential injection. * These patterns detect common SQL injection attempts. */ export declare const SQL_INJECTION_PATTERNS: readonly RegExp[]; /** * Error class for SQL injection prevention */ export declare class SqlInjectionError extends Error { /** * The input that triggered the error */ readonly input: string; constructor(message: string, input: string); } /** * Check if a string is a valid SQL identifier * * Valid identifiers must: * - Start with a letter or underscore * - Contain only alphanumeric characters and underscores * - Be between 1 and MAX_IDENTIFIER_LENGTH characters * - Not be a reserved SQL keyword * * @param name - The string to validate * @returns True if the string is a valid identifier */ export declare function isValidIdentifier(name: string): boolean; /** * Check if a string is a valid document/batch ID * * Valid IDs must: * - Contain only alphanumeric characters, underscores, and hyphens * - Be between 1 and MAX_ID_LENGTH characters * * @param id - The string to validate * @returns True if the string is a valid ID */ export declare function isValidId(id: string): boolean; /** * Check if a string is a valid field path (dot-notation) * * Valid field paths must: * - Be between 1 and MAX_FIELD_PATH_LENGTH characters * - Consist of valid identifier parts separated by dots * * @param path - The string to validate * @returns True if the string is a valid field path */ export declare function isValidFieldPath(path: string): boolean; /** * Checks if an identifier is safe without throwing an error. * This is an alias for isValidIdentifier for API compatibility. * * @param identifier - The identifier to check * @returns true if the identifier is safe, false otherwise */ export declare function isValidSqlIdentifier(identifier: string): boolean; /** * Validates that a string does not contain SQL injection patterns * * @param input - The input string to validate * @param context - Context for error messages (e.g., 'query', 'value') * @throws SqlInjectionError if injection pattern is detected */ export declare function detectSqlInjection(input: string, context?: string): void; /** * Checks if a string contains SQL injection patterns without throwing * * @param input - The input string to check * @returns True if injection pattern is detected, false if safe */ export declare function containsSqlInjection(input: string): boolean; /** * Validates that a string is a safe SQL identifier (table name, column name, etc.) * * @param identifier - The identifier to validate * @param type - Type of identifier for error messages (e.g., 'table', 'column') * @throws SqlInjectionError if the identifier is invalid */ export declare function validateSqlIdentifier(identifier: string, type?: string): void; /** * Validate a schema name * @param name - The schema name to validate * @throws SqlInjectionError if the name is invalid */ export declare function validateSchemaName(name: string): void; /** * Validate a metadata key * @param key - The metadata key to validate * @throws SqlInjectionError if the key is invalid */ export declare function validateMetaKey(key: string): void; /** * Validate an index name * @param name - The index name to validate * @throws SqlInjectionError if the name is invalid */ export declare function validateIndexName(name: string): void; /** * Validate a collection/table name * @param collection - The collection name to validate * @throws SqlInjectionError if the name is invalid */ export declare function validateCollectionName(collection: string): void; /** * Validates and sanitizes a column/field name * Supports dotted notation for nested fields (e.g., "user.address.city") * * @param column - The column name to validate * @throws SqlInjectionError if the column name is invalid */ export declare function validateColumnName(column: string): void; /** * Validate a field name/path * @param field - The field name to validate * @throws SqlInjectionError if the name is invalid */ export declare function validateFieldName(field: string): void; /** * Validate a document ID * @param docId - The document ID to validate * @throws SqlInjectionError if the ID is invalid */ export declare function validateDocumentId(docId: string): void; /** * Validate a batch ID * @param batchId - The batch ID to validate * @throws SqlInjectionError if the ID is invalid */ export declare function validateBatchId(batchId: string): void; /** * Escape a SQL identifier (table name, column name, index name) for safe use in SQL * * This function: * 1. Validates the identifier * 2. Wraps it in double quotes * 3. Escapes any internal double quotes by doubling them * * @param name - The identifier to escape * @returns The escaped identifier * @throws SqlInjectionError if the identifier is invalid */ export declare function escapeIdentifier(name: string): string; /** * Escape special characters in a LIKE pattern * * Escapes %, _, and \ characters so they are treated as literals. * Note: This should only be used for pattern escaping, not for general SQL values. * General values should use parameterized queries. * * @param pattern - The pattern to escape * @returns The escaped pattern */ export declare function escapeLikePattern(pattern: string): string; /** * Alias for escapeLikePattern for API compatibility */ export declare const escapeSqlLikePattern: typeof escapeLikePattern; /** * Result of a SQL template literal */ export interface SqlQueryResult { /** The SQL query string with ? placeholders */ query: string; /** The parameter values in order */ params: unknown[]; } /** * SQL template literal tag for creating safe parameterized queries * * This tag function allows you to write SQL queries with embedded values * that are automatically converted to parameterized queries. * * @example * ```typescript * const name = "test"; // potentially untrusted input * const age = 25; * * const { query, params } = sql` * SELECT * FROM users * WHERE name = ${name} AND age > ${age} * `; * * // query: "SELECT * FROM users WHERE name = ? AND age > ?" * // params: ["test", 25] * * sql.exec(query, ...params); * ``` * * @param strings - The static parts of the template literal * @param values - The interpolated values * @returns An object with the query string and parameter array */ export declare function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQueryResult; /** * SQL template tag for queries with IN clauses containing arrays * * Handles array values by expanding them to multiple placeholders * * @example * ```typescript * const ids = ["a", "b", "c"]; * const { query, params } = sqlIn` * SELECT * FROM users WHERE id IN (${ids}) * `; * * // query: "SELECT * FROM users WHERE id IN (?, ?, ?)" * // params: ["a", "b", "c"] * ``` * * @param strings - The static parts of the template literal * @param values - The interpolated values (arrays are expanded) * @returns An object with the query string and parameter array */ export declare function sqlIn(strings: TemplateStringsArray, ...values: unknown[]): SqlQueryResult; /** * Branded type for validated SQL identifiers */ export type ValidatedIdentifier = string & { readonly __brand: 'ValidatedIdentifier'; }; /** * Branded type for validated document IDs */ export type ValidatedId = string & { readonly __brand: 'ValidatedId'; }; /** * Branded type for validated field paths */ export type ValidatedFieldPath = string & { readonly __brand: 'ValidatedFieldPath'; }; /** * Create a validated identifier (returns branded type) * * @param name - The identifier to validate * @returns The validated identifier * @throws SqlInjectionError if the identifier is invalid */ export declare function validatedIdentifier(name: string): ValidatedIdentifier; /** * Create a validated ID (returns branded type) * * @param id - The ID to validate * @returns The validated ID * @throws SqlInjectionError if the ID is invalid */ export declare function validatedId(id: string): ValidatedId; /** * Create a validated field path (returns branded type) * * @param path - The field path to validate * @returns The validated field path * @throws SqlInjectionError if the field path is invalid */ export declare function validatedFieldPath(path: string): ValidatedFieldPath; //# sourceMappingURL=sql-safety.d.ts.map